Federal Deposit Insurance Corporation
3501 Fairfax Drive, Arlington, VA 22226
Office of Inspector General

DATE:            March 26, 2014

MEMORANDUM TO:   Martin J. Gruenberg
                 Chairman

FROM:            /Signed/
                 Fred W. Gibson, Jr.
                 Acting Inspector General

SUBJECT:         Reliability of Previously-Issued Audit Reports on the FDIC's
                 Information Security Program

In a memorandum dated May 30, 2013, the Office of Inspector General (OIG) informed you that it had become aware of information related to the FDIC's information security program that could affect the reliability of two previously-issued audit reports—Independent Evaluation of the FDIC's Information Security Program—2011 (Report No. AUD-12-002, dated October 31, 2011) and Independent Evaluation of the FDIC's Information Security Program—2012 (Report No. AUD-13-003, dated November 5, 2012). These reports were not made available to the public due to the sensitive nature of the information they contained. Only the reports' Executive Summaries, which did not contain sensitive information, were posted on our public Web site.

Consistent with Government Auditing Standards, we provided notice to users of the reports that the associated findings and conclusions may not be reliable. Further, we performed expanded audit procedures during 2013 to assess the impact of the information on the earlier reports. Based on those procedures, we determined that the findings and conclusions related to Incident Response and Reporting and Risk Management in both reports were not reliable, but that the reports' other findings and conclusions were reliable, and the associated recommendations were valid. The results of our expanded audit procedures are described in our audit report, entitled Independent Evaluation of the FDIC's Information Security Program—2013 (Report No. AUD-14-002, dated November 21, 2013).

We plan to link this memorandum to the Executive Summaries of the earlier audit reports posted on our public Web site to clarify the associated findings and conclusions.

If you have questions or concerns regarding this matter, please contact me at (703) 562-6339.


Executive Summary

Independent Evaluation of the FDIC's Information Security Program—2012
Report No. AUD-13-003
November 2012

Why We Did The Audit

The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies, including the FDIC, to perform annual independent evaluations of their information security programs and practices and to report the evaluation results to the Office of Management and Budget (OMB). FISMA states that the independent evaluations are to be performed by the agency Inspector General (IG), or an independent external auditor as determined by the IG.

The objective of this performance audit was to evaluate the effectiveness of the FDIC's information security program and practices, including the FDIC's compliance with FISMA and related information security policies, procedures, standards, and guidelines.

Background

Key to achieving the FDIC's mission of maintaining stability and public confidence in the nation's financial system is safeguarding the sensitive information, including personally identifiable information, that the FDIC collects and manages in its role as federal deposit insurer and regulator of state non-member financial institutions. As an employer, an acquirer of services, and a receiver for failed institutions, the FDIC also obtains considerable amounts of sensitive information from its employees, contractors, and failed institutions. Further, the FDIC has begun collecting sensitive information, such as resolution plans for systemically important financial institutions, pursuant to its responsibilities under the Dodd-Frank Wall Street Reform and Consumer Protection Act. Implementing proper controls over this information is critical to mitigating the risk of a negative financial impact upon insured institutions or an unauthorized disclosure that could lead to identity theft, consumer fraud, and potential legal liability or public embarrassment for the Corporation.

FISMA requires federal agencies, including the FDIC, to develop, document, and implement agency-wide information security programs to provide security for their information and information systems and to support the operations and assets of the agencies, including information and information systems that are provided or managed by another agency, contractor, or other source. FISMA directs the National Institute of Standards and Technology (NIST) to develop risk-based standards and guidelines to assist agencies in defining security requirements for their information systems. In addition, OMB issues information security policies and guidelines for federal information resources pursuant to various statutory authorities. In this regard, OMB issued Memorandum M-12-20, FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated October 2, 2012. This memorandum provides the heads of executive departments and agencies with instructions for meeting their reporting requirements under FISMA and for reporting on their privacy management programs.

The Department of Homeland Security (DHS) exercises primary responsibility within the Executive Branch for the operational aspects of federal agency cybersecurity with respect to the federal information systems that fall within the scope of FISMA. DHS's responsibilities include overseeing agency compliance with FISMA and formulating analyses for OMB's use in the development of its annual FISMA report to the Congress. DHS provided agency IGs with a set of security-related questions to address their FISMA reporting responsibilities in a March 6, 2012 document entitled, FY 2012 Inspector General Federal Information Security Management Act Reporting Metrics.

We evaluated the effectiveness of the FDIC's information security program and practices by designing audit procedures to assess consistency between the FDIC's security controls and FISMA requirements, OMB policy and guidelines, and applicable NIST standards and guidelines in the areas covered by the DHS questions. We are required to submit our responses to the DHS questions through OMB's FISMA reporting platform—CyberScope—by November 15, 2012.

Audit Results

We concluded that, except as noted below, the FDIC had established and maintained information security program controls that were generally consistent with FISMA requirements, OMB policy and guidelines, and applicable NIST standards and guidelines for the security control areas that we evaluated. Of particular note, the FDIC had established security policies and procedures in almost all of the security control areas evaluated. The FDIC also continued to make meaningful progress on a multi-year initiative to improve its agency-wide Continuous Monitoring controls designed to facilitate near real-time risk management and promote organizational situational awareness with regard to the state of security of the FDIC's information systems.

Notwithstanding the above achievements, management attention is warranted in several security control areas, particularly Plan of Action and Milestones (POA&Ms), Contractor Systems, and Risk Management. Specifically, planned actions to address a large number of high- and moderate-risk security vulnerabilities were significantly past their scheduled completion dates on POA&Ms, limiting the FDIC's assurance that sensitive information and information technology (IT) resources are adequately protected. In addition, risk in the area of Contractor Systems remains elevated due to the FDIC's continued heavy reliance on contractors to support bank resolution and receivership activities. While the FDIC has developed a risk-based strategy and formal methodology for assessing risks associated with Contractor Systems, significant work remains to apply the methodology to all of the FDIC's outsourced information service providers. With respect to Risk Management, our report describes an approach that the FDIC can take to help ensure that business-led application development efforts are incorporated into the FDIC's risk management framework and IT governance processes.

The FDIC's business divisions and offices play a critical role in the successful implementation of the FDIC's information security program, including those areas where we found that management attention was warranted. In this regard, the Chief Information Officer (CIO) will need to coordinate with other senior FDIC management officials to ensure that program-related priorities are balanced with the need to address the Corporation's information security requirements.

Recommendations and Corporation Comments

Our report contains 14 recommendations to improve the effectiveness of the FDIC's information security program controls. In many cases, the FDIC was already working to strengthen security controls in these areas during our audit. We identified certain other potential control enhancements that we did not consider significant within the context of the audit's objective. We communicated those matters separately to appropriate FDIC management officials.

On November 2, 2012, the FDIC's CIO, who also serves as Director, Division of Information Technology, and the Director, Division of Administration, provided a written response to a draft of this report. In the response, FDIC management concurred with all 14 of the report's recommendations and described planned corrective actions that were responsive.

Because this report contains sensitive information, we do not intend to make the report available to the public in its entirety. We will, however, post this Executive Summary on our public Web site.